repeated connection attempts blocked by firewall

George Valkov

Hello!
I woke up this morning, started my DSL modem (takes new IP from DHCP), and
started my PC (behind hardware firewall). I noticed a lot of in-bound
traffic filtered by the firewall.
And so, I checked the firewall log file:
http://gfc.my.contact.bg/tests/2007-V-26-firewall-log-01.txt
and noticed that a few hosts are trying to access some service - mostly
TCP:12824 that is filtered by the firewall. Being filtered means that they
cannot determine if there is a host, unless they send a PING for it.

My question is:
is the client software that stupid to repeat connection every quarter of a
second?
or is that some attack against the previous owner of that IP?
or is that some Trojan client trying to access server on previous owner of
that IP?
or why is that behaviour?
It makes no sense repeating the connection attempt that frequently, unless
trying to flood the other side. Which also does not make sense because this
IP is being assigned to clients of the ISP and not to a server, and flood
attacks are usually used to prevent access to a specific server.

My action was to reset the DSL modem again and take a new "clean" IP for the
DSL modem.

I am also going to ask my ISP to configure the modem not to respond to ICMP
packets.



Thank you for any information and shared knowledge!

George Valkov
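
Added example, not part of the original posts: one way to check from a firewall drop log whether a source really opens a new connection every quarter of a second, or whether its TCP stack is only retransmitting one SYN with backoff. The log line layout, the addresses and the function names are assumptions, since the format of the linked log file is not shown in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample; the line layout is an assumption, addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
2007-05-26 08:01:00.000 DROP TCP 198.51.100.7:4312 -> 192.0.2.10:12824
2007-05-26 08:01:00.100 DROP TCP 203.0.113.44:3077 -> 192.0.2.10:12824
2007-05-26 08:01:00.250 DROP TCP 198.51.100.7:4313 -> 192.0.2.10:12824
2007-05-26 08:01:00.500 DROP TCP 198.51.100.7:4314 -> 192.0.2.10:12824
2007-05-26 08:01:00.750 DROP TCP 198.51.100.7:4315 -> 192.0.2.10:12824
2007-05-26 08:01:01.000 DROP TCP 198.51.100.7:4316 -> 192.0.2.10:12824
2007-05-26 08:01:02.000 DROP UDP 198.51.100.99:1045 -> 192.0.2.10:1434
2007-05-26 08:01:03.100 DROP TCP 203.0.113.44:3077 -> 192.0.2.10:12824
2007-05-26 08:01:09.100 DROP TCP 203.0.113.44:3077 -> 192.0.2.10:12824
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> [\d.]+:(?P<dport>\d+)$")

def summarize(log_text):
    """Per (source, protocol, destination port): hits, source ports, median gap."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # ignore lines that are not drop records
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        flows[(m["src"], m["proto"], int(m["dport"]))].append((ts, m["sport"]))
    report = {}
    for key, hits in flows.items():
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(hits),
            # One source port repeated = the sender's TCP stack retransmitting a SYN;
            # a fresh source port per hit = the application opening new connections.
            "src_ports": len({p for _, p in hits}),
            "median_gap": median(gaps) if gaps else None,
        }
    return report

def rapid_repeaters(report, min_count=4, max_gap=1.0):
    """Flows that keep opening new connections at sub-second intervals."""
    return sorted(k for k, v in report.items()
                  if v["count"] >= min_count and v["src_ports"] > 1
                  and v["median_gap"] is not None and v["median_gap"] <= max_gap)
```

On the constructed sample, only 198.51.100.7 is reported: five hits from five source ports at a 0.25 s median gap, while 203.0.113.44 shows one source port with growing gaps, which is ordinary SYN retransmission.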
 
Jack (MVP-Networking).

Hi
If you are referring to traffic trying to come in, it is probably regular
Internet and ISP noise and as long as it does not impede your connection it
can be ignored.
Jack (MVP-Networking).
 
George Valkov

Yes it is, and since my PC is firewalled it can be ignored, except the part
that it fills the firewall's entire log-file pretty fast. Resetting the DSL
modem to take a new IP is also an easy game...

Next time I'll let it go into the Network protocol analyzer, to see what's
inside :)



 
George Valkov

I'll let it talk to a netcat server, just to make it even more realistic ;-)

 
Chuck

George,

Whenever I see an access attempted against a specific port, I look it up in the
ISC / SANS database.
http://isc.sans.org/port.html?port=12824

That shows 2 things:
1) There is an increasing amount of traffic against that port, being reported.
2) Nobody knows what it is (If an attack port is known it will be identified
here, if anywhere).

Bottom line is, you aren't alone. Watch the ISC page for updates.
 
George Valkov

Hello Chuck!
A few months ago, a link on your web site
http://nitecruzr.blogspot.com/
already led me to
http://isc.sans.org/
And there is also the Shields up at
https://www.grc.com/
These three are great places! :) Thank you very much! :)

George Valkov
 
